Javascript Client Storage Exposure
Description
Detects when sensitive data (credentials, session or API tokens, TOTP secrets, personal data) is written to client-side storage mechanisms (localStorage, sessionStorage, document.cookie) in JavaScript code. Anything placed there is readable by any script running on the same origin, including injected (XSS) or compromised third-party scripts, can be inspected with the browser's developer tools, and, in the case of localStorage and persistent cookies, survives on disk after the tab or browser is closed. An attacker who reaches it obtains the secret directly, without needing the user's password.
Detection Strategy
• Check for calls to client-side storage APIs in JavaScript code: localStorage.setItem, sessionStorage.setItem, and assignments to document.cookie
• Identify when the stored key or value corresponds to sensitive data or credentials (passwords, session or API tokens, TOTP secrets, personal data)
• Report a vulnerability when such data is written to client storage without proper security controls, for example without encryption under a key that client-side code cannot reach
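The detection strategy above, as an added example that is not Fluid Attacks' own scanner: a minimal static check that reads JavaScript source text, finds `localStorage`/`sessionStorage` `setItem` calls and `document.cookie` assignments, and flags those whose key name or value expression mentions a sensitive term. The regular expressions, the list of sensitive terms and the sample source it runs over are assumptions made for this illustration.

```javascript
// Added example (not Fluid Attacks' scanner): a minimal static check that flags
// sensitive values written to client-side storage in JavaScript source text.
// The regexes, the sensitive-term list and the sample source are assumptions.

// localStorage.setItem('key', <value>) / sessionStorage.setItem('key', <value>)
// captures: 1 = API, 2 = quote char, 3 = key literal, 4 = value expression up to ';'
const STORAGE_CALL =
  /\b(localStorage|sessionStorage)\.setItem\(\s*(['"`])([^'"`]*)\2\s*,\s*([^;]*)/g;

// document.cookie = <expression up to ';'>
const COOKIE_ASSIGN = /document\.cookie\s*=\s*([^;\n]+)/g;

// Terms that mark a key name or value expression as sensitive (assumed list).
const SENSITIVE =
  /(password|passwd|secret|token|totp|api[_-]?key|session[_-]?id|credit[_-]?card|ssn)/i;

// Scan a source string line by line; returns one finding per sensitive write.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    for (const m of text.matchAll(STORAGE_CALL)) {
      const [, api, , key, rawValue] = m;
      // drop the closing paren of setItem(...) that [^;]* swallowed
      const valueExpr = rawValue.trim().replace(/\)\s*$/, '');
      if (SENSITIVE.test(key) || SENSITIVE.test(valueExpr)) {
        findings.push({ line, api, key, valueExpr });
      }
    }
    for (const m of text.matchAll(COOKIE_ASSIGN)) {
      const valueExpr = m[1].trim();
      if (SENSITIVE.test(valueExpr)) {
        findings.push({ line, api: 'document.cookie', key: null, valueExpr });
      }
    }
  });
  return findings;
}

// One human-readable line per finding.
function formatFindings(findings) {
  return findings.map(
    (f) => 'line ' + f.line + ': ' + f.api +
      (f.key ? " key '" + f.key + "'" : '') + ' <- ' + f.valueExpr
  );
}

// Constructed sample source, modelled on the vulnerable example on this page.
const SAMPLE_SOURCE = `function storeCredentials(userData, authToken) {
  sessionStorage.setItem('token', userData.totp_token);
  sessionStorage.setItem('password', authToken);
  sessionStorage.setItem('lastLoginDate', new Date().toISOString());
  localStorage.setItem('theme', 'dark');
  document.cookie = 'api_key=' + userData.apiKey + '; path=/';
  document.cookie = 'lang=en; path=/';
}`;

// Expected: lines 2 and 3 (sessionStorage token/password) and line 6 (api_key cookie);
// the lastLoginDate, theme and lang writes are not reported.
console.log(formatFindings(scanSource(SAMPLE_SOURCE)).join('\n'));
```

The check is deliberately key- and value-name based, which is how a lightweight SAST rule usually starts: it will miss a secret stored under an innocuous name and needs taint tracking from the credential's origin to do better, but it already separates the two sensitive writes in the vulnerable example from the harmless `lastLoginDate` one.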
Vulnerable code example
function storeCredentials(userData, authToken) {
  // VULNERABLE: storing authentication secrets in plain text in sessionStorage,
  // where any script running on this origin (or a DevTools user) can read them
  sessionStorage.setItem('token', userData.totp_token);
  sessionStorage.setItem('password', authToken);
  // Non-sensitive storage (safe)
  sessionStorage.setItem('lastLoginDate', new Date().toISOString());
}
✅ Secure code example
function storeCredentials(userData, authToken) {
  // Encrypt before storing. encodeAndObfuscate is the page's placeholder for a
  // real encryption routine; it only protects the values if the key is not itself
  // reachable from client-side code, otherwise any script that can read
  // sessionStorage can also decrypt what it finds there.
  const encryptedToken = encodeAndObfuscate(userData.totp_token);
  const encryptedAuth = encodeAndObfuscate(authToken);
  // Store the encrypted values instead of the raw secrets
  sessionStorage.setItem('enc_token', encryptedToken);
  sessionStorage.setItem('enc_auth', encryptedAuth);
}